NOTE: A vulnerability was discovered in the mod_cas Apache module. It is recommend that ALL deployers upgrade to mod_auth_cas immediately. mod_auth_cas is not affected by the vulnerability and is the currently supported Apache module.

The Yale CAS client distribution includes modules for Apache which serve as a CAS 1.0 casclient. See AuthCAS for an alternative implementation of an Apache (mod_perl) module for CAS authentication which offers additional features.

We now have a mod_cas patch below for apache2 that contributes support for apache directives for all configuration items. It also contains some changes to logging. mod_cas now has the capability of logging to the apache logs. All that needs to be done, is for someone to turn on the debug directive.

You may also want to try the RPMs. There is a pre-built one for RH AS3, and one that will build mod_cas from source for you. See the attachments below.

Please note this is not extensively tested at this time. I believe there is still a little bit of work to be done. We plan on testing this here at Athabasca University within the next little while (currently May 27th, 2005). This modification was written by Trenton D. Adams and anonymous. If someone knows who anonymous is, let me know. I will search my email soon to see if I can find out who it was that helped me. We will soon contribute a binary RPM as well as a source RPM, which will automatically suck down the patch, and build against it.

Starting with the Case mod_cas distribution as a base Carl Harris wrote a modification to support the XML objects returned by CAS 2 and up. It was also modified to support a chain of trusted CA certificates, rather than a single certificate. The attached mod_cas-VATECH.tar.gz can be used with the instructions posted on the Case wiki to produce the improved mod_cas. The CASTrustedCerts directive can now point to a file containing a trusted CA cert chain.

For a documented sample Apache configuration file, Andrew Feller has provided a base for new and experienced deployers to use; see the mod_cas-VATECH.conf attachment.

TODO: The ssl_verify.c module in mod_cas is rather monolithic and inelegant. It could really stand to be significantly refactored.TODO: OpenSSL has options for getting the trusted CA cert chain as a single file or as a directory. The directory option is not currently implemented in mod_cas-VATECH, but should be added.

When not to use MOD_CAS

directories of images files should be moved out from under mod_cas protection because browsers (IE 6 & Firefox 1.06) do not know how to handle the redirects for the requests for images embedded in an HTML page

directories of CSS files should be moved out from under mod_cas protection for the same reasons

mod_cas cannot be used with server generated images where scripts return an image stream

7 Comments

The README shows that this mod_cas module can only be used with CAS 1.0 architecture.

I find that inside the source, when the CAS_Validate function checks the response from CAS Server, it only checks CAS 1.0 architecture with "yes or no" response.

Then it is not compartible with CAS 2.0 with the following response:-
<cas:serviceResponse xmlns:cas='http://www.yale.edu/tp/cas'>
<cas:authenticationSuccess>
<cas:user>NetID</cas:user>
</cas:authenticationSuccess>
</cas:serviceResponse>

But I find that, this module may work with CAS 2.0 when I just change the ssl_client.c line around 180:
if (strncmp(str, "yes", 3) FAIL;
to:
if (!strstr(str, "authenticationSuccess")) FAIL;

CAS clients also need to check what netid it is that is authenticated. Presumably ssl_client.c currently looks at the second line of the CAS 1.0 ticket validation response? This would need to instead look at the <cas:user/> element of the CAS 2.0 service response.

Any plan to refactor MOD_CAS to MOD_AUTHN_CAS which follows Apache 2.1/2.2 Authn/Authz framework? This allows other AUTHZ providers to implement the access control which is more consistent and flexible.

The mod_dir.c which comes with mod_cas does not support the DirectorySlash directive (which is in the standard mod_dir since Apache 2.0.51). Is there any reason (from the CAS perspective) to NOT add it in, based on the standard mod_dir, or is the reason for it not being there just that it's based on mod_dir prior to 2.0.51?